Hacking your head: how cybercriminals use social engineering

Hacking your head: how cybercriminals use social engineering

Social engineering is nothing new. It’s a tool of psychological manipulation that’s been used since the dawn of man. Why? To influence people into taking action that might not be in their best interest.

Sometimes it’s fairly harmless, like a child sweet-talking his mom to get extra candy. (I’m a victim of this one.) Many times, however, social engineering is used for nefarious purposes.

There are classic examples of social engineering at play throughout human history. Confidence tricks were first used by charmers in the 19th century to con people into trusting others with their valuables. (They should not have trusted…the charmers made off with the goods.) Psychological manipulation, otherwise known as propaganda, influenced droves of people during World War II to go out and buy war bonds. And advertising subtly hints that you’re not pretty enough until you buy this product.

Social engineering taps into the human psyche by exploiting powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feels of them all: the desire for free t-shirts.

Which is why cybercriminals have caught on.

Cybercrooks use this dangerous weapon to get at the weakest link: us. They know that the easiest way to penetrate a system is to go after the user, not the computer. “Attacking the human element has always been a favorite,” says Jean-Phillip Taggart, Senior Security Researcher at Malwarebytes. “Why use some hard technical flaw to acquire a password when you can simply ask the user for it?”

In fact, psychological cyberattacks are on the rise. “We are seeing an increase of blended attacks that rely on a combination of social engineering and malicious software,” says Taggart. For example, a popular social engineering tactic is the technical support scam. An alert pop-up will appear on the screen that tells the user he is infected and needs to download a malware application and/or call this number to have a technician help you. The user, fearful of infection, will download the fake antivirus application or call up the technician, both of which are vehicles for delivering malware instead of eradicating it, and/or scamming people out of their money.

So how are the criminals distributing their social engineering schemes? Here are some of the most prevalent ways social engineering is used today.


“Huge snake eats man alive!” Have I got your attention? What if I posted a link to a video of the ordeal? You just might be tempted to click, especially because many legitimate articles and other pieces of content use similarly eye-catching headlines to get people to look at their stuff. Cybercriminals get this, and they exploit it.

A particularly popular approach is to capitalize on the innately human desire to crane one’s neck to see an accident on the side of the road. So beware of links to overly graphic terrorist attack images, natural disasters, and other tragedies. They just may lead to malicious websites that can siphon off personal data or drop infections on machines via malvertising.

Watering hole attacks

One of the things cybercriminals do best is collect information about their targets. Browsing habits tell a lot about a person, which is why that ad for cat sweaters keeps popping up in your Facebook feed. Cybercriminals use this information the go after the sites most visited by their target group. Once they discover a particular website is popular with their targets, they infect the site itself with malware. For example, hackers knew the iPhone Dev SDK forum was frequently visited by Facebook, Apple, and other developers. They compromised the website, set up an exploit, and ended up infecting a lot of people.

Social media attacks

Social media attacks can be particularly dangerous because criminals mess with your mind in two ways. First, they make digs at your personal information, perhaps teasing you about a new look. “Cybercriminals know that one of the biggest vulnerabilities people have is their self-image,” says Adam Kujawa, Director of Malware Intelligence at Malwarebytes. “People are worried about what others think of them.” Second, they make their messages appear to come from a friend, which makes the insult sting that much more.

This two-pronged approach can be accomplished in one attack. You might receive a message from your ex-boyfriend that says, “lol, is this your new profile pic?” (with a picture of a walrus). The picture has a link. You click on it, because what the heck, ex-boyfriend?! And—would you look at that!—you’re infected with malware.

Ransomware attacks

Ransomware is nasty business. It’s also social engineering at its finest/worst. Ransomware is a type of malware that holds your files or part of your system ransom. To return access, you must pay cybercriminals. People who want their precious data back might pay up right away. But for those who need additional scare tactics, criminals have come up with law enforcement scams that make it appear as though the U.S. Department of Justice or FBI Cybercrime division are contacting you to claim that you’ve done something illegal.

Even worse, some cybercriminals will stoop to the level of claiming they found child pornography on your computer—and then display a piece of said child pornography. So, they say, pay up and we’ll make it go away. Users, naturally, tend to panic when faced with a message about child pornography that seems to come from law enforcement. This gross tactic has even lead, in extreme cases, to people committing suicide.

Phishing/spear phishing

If your dad has ever fallen for the old Nigerian prince tale, then guess what? He was phished. Phishing is a form of social engineering that relies on fooling people into handing over money or data via email. Bad guys accomplish this by sending a generic message out to a huge mass of people that might say something like, “You won $1 million! Click here for your reward!” Sadly, there are those that still fall for this.

However, in recent years cybercriminals have upped their phishing game with more sophistication. Spear phishing emails are crafted to make targeted victims believe they’re from legitimate sources. The messages might appear to come from banks or businesses and could include full names, usernames, and other personal info. Crooks know that if you get an email that looks like it’s from your medical provider and it’s talking about a surgery you had last year, you will likely believe it.

So how can you fend of these psychological attacks? Here are a few tried and true methods:

  • Equip yourself with top-of-the-line cybersecurity programs that include technologies to fight off attacks from multiple angles, including blocking exploits, ransomware, adware, and other forms of malware. These can fight off social engineering attacks from a technical standpoint.
  • Anonymize your data by using the privacy features of your browser. It’s also a good idea to clear cookies every once in a while.
  • Lock down privacy settings on social media accounts. Make sure you’re making information available only to those you wish to have it.
  • Use an ad blocker to fend off malvertising and cryptomining attempts via browser.
  • Use the right software and hardware systems. If you just use your computer to surf the web, you probably don’t need a powerful processor or the Adobe suite. “Every piece of software you put on your computer has potential vulnerabilities,” says Jérôme Segura, Head of Investigations, Malware Intelligence, at Malwarebytes. “The more you have, the greater your surface of attack is on a particular machine.”
  • Finally, and most importantly, use common sense. A healthy dose of skepticism goes a long way. Verify information. Contact the claimed source. “Trust your gut feeling,” says Taggart. “If it feels too good to be true, it probably is. If it feels slightly off, it probably is. Stop and think about what is being asked of you.”


Wendy Zamora

Editor-at-Large, Malwarebytes Labs

Writer, editor, and author specializing in security and tech. Content guru. Lover of meatballs.